Antivirus software is known to be used in the art for counteracting computer security attacks, including Man-in-the-Browser and/or Man-in-the-Middle and/or Bot attacks.
For example, Man-in-the-Browser is a type of attack that consists in direct manipulation of the Web browser to change the contents that are normally displayed to the user when he/she visits a Website (see FIG. 1). Man-in-the-Browser (MitB) attacks are carried out using malware installed on the computer without the user's knowledge. Such malware (e.g., Proxy Trojan horses) interacts with the memory of Web browser processes to redirect the normal flow of system calls (used by the Web browser) to certain malware functions, which have the purpose, for instance, of injecting additional HTML code into the downloaded Web page. It should be noted that, in the case of the Man-in-the-Browser attack, a connection is established with the original Web server of the site that has been attacked, which makes attack detection difficult. Therefore, the Web browser and the Web application are unable to distinguish the content that has been added by the malware from the content that has actually been downloaded by the Web browser. Various Man-in-the-Browser attacks have been documented, including credit card data theft from e-banking and e-commerce sites and fraudulent transactions that are often started automatically with no interaction with the user.
In more detail, when a user requests a Web page (i.e., a Web application) through a Web browser, the Web server that hosts the Web page sends HTML source code (a Document Object Model, DOM) to the Web browser. The DOM code is transferred to the rendering engine of the Web browser for display to the user. In a malware-infected PC, for example, the DOM code received by the Web browser from the Web server is changed by the malware before it is processed by the rendering engine of the Web browser. For this purpose, the malware injects additional code (e.g., a script) into the DOM code received from the Web server to change the contents displayed to the user. The changes made by the malware to the DOM code downloaded from the Web server are changes in the HTML and/or JavaScript code and/or any other contents or Web resource. In other words, the Web browser is connected to the original Web server while the malware makes changes to the downloaded DOM code. These changes may include graphic and/or behavioral alterations. The user is therefore shown a Web page whose behavior and/or graphic representation differs from the Web page that was originally requested by the client. The client unwittingly allows access to its own personal data or authorizes fraudulent transactions on his/her own account.
For example, in the field of banking, a malware-infected computer typically logs into the on-line banking site using the HTTPS protocol and downloads the Web page data. Nevertheless, the malware alters this data in real time, adding transaction-manipulating scripts and performing, for instance, automatic data transfers. The script can also redirect money transfers that were actually ordered by the user to other recipients, or more simply request credit card data and/or add additional fields to be filled in by the user with additional data.
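The alterations described above (an injected script, an extra form field) are visible as differences between the DOM the server sent and the DOM the browser ended up rendering. The following Python code is an added illustration, not part of the original text nor the method of any document cited here; the function names, the list of sensitive tags and the sample markup are assumptions constructed for the example.

```python
import hashlib
from collections import Counter
from html.parser import HTMLParser

# Elements through which injected markup can change behaviour or collect data.
SENSITIVE = {"script", "input", "form", "iframe", "select", "textarea"}
KEY_ATTRS = ("type", "name", "src", "action")

class Fingerprinter(HTMLParser):
    """Counts a (tag, attributes, inline-script hash) key per sensitive element."""
    def __init__(self):
        super().__init__()
        self.seen = Counter()
        self._inline = None  # (key, text chunks) of an open inline <script>

    def handle_starttag(self, tag, attrs):
        if tag not in SENSITIVE:
            return
        a = dict(attrs)
        key = (tag,) + tuple(f"{k}={a[k]}" for k in KEY_ATTRS if a.get(k))
        if tag == "script" and not a.get("src"):
            self._inline = (key, [])  # counted once its body is known
        else:
            self.seen[key] += 1

    def handle_data(self, data):
        if self._inline is not None:
            self._inline[1].append(data)

    def handle_endtag(self, tag):
        if tag == "script" and self._inline is not None:
            key, parts = self._inline
            body = "".join(parts).strip().encode()
            self.seen[key + ("sha256=" + hashlib.sha256(body).hexdigest()[:12],)] += 1
            self._inline = None

def fingerprint(html):
    parser = Fingerprinter()
    parser.feed(html)
    parser.close()
    return parser.seen
def injected_elements(served, rendered):
    """Sensitive elements present in the rendered DOM but absent from the served one."""
    return sorted((fingerprint(rendered) - fingerprint(served)).elements())
# Constructed sample: the page as served, and the same page as serialized on the client.
SERVED = ('<form action="/transfer"><input type="text" name="iban">'
          '<input type="text" name="amount"></form><script src="/static/app.js"></script>')
RENDERED = SERVED.replace("</form>", '<input type="password" name="card_pin"></form>'
                          "<script>/* constructed stand-in for injected code */</script>")
```

Legitimate client-side scripts and browser extensions also add elements to the DOM, so a comparison of this kind needs a baseline of the changes the application itself is expected to make.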
A further example is Bot attacks, as shown in FIG. 1. These attacks consist of page requests that come from an automatic system instead of a person. This may involve a huge bandwidth consumption for the service provider. Furthermore, automatic systems may use the service in undesired and unlawful manners. Examples known in the art are Web scraping (i.e., extraction of information from the Web service), Carding (i.e., the process of validation of stolen credit cards) or the Brute-force attack (i.e., the attempt of searching for the credentials of a user in the login page of a Web application).
U.S. Patent Application Publication No. US2002/0166051A1 discloses an encryption function performed on the DOM code of a Web application. The DOM code is available on the Web server in combination with a decryption program. When a user requests the Web application, an encrypted DOM code is provided in response to such request. This encrypted DOM code cannot be rendered by the client that requested it. This is because only an authorized client may access the decryption program available on the Web browser, which allows it to decrypt the DOM code in order to access the Web application.
Antivirus software, installed either on PCs or on client user devices (e.g., smartphones, tablets, etc.), is poorly effective against this type of computer security threat. Antivirus software can only identify part of the Man-in-the-Browser attacks occurring over the Internet. Web browsers are also known which meet high security standards or have Internet security software. Nevertheless, none of the prior art solutions can effectively counteract Man-in-the-Browser and/or Man-in-the-Middle and/or Bot attacks.
For example, even when DOM codes are encrypted, decryption codes can still be obtained through attacks directed to the Web server that contains the decryption program. Furthermore, although the code is encrypted, it is still immediately provided to the client that requests it. Therefore, attacks are still possible, because there is a high risk that decryption keys may be identified by individuals who make such attacks.